Methods, systems, and devices for federated blockchain-enabled handover authentication

ABSTRACT

Aspects of the subject disclosure may include, for example, authenticating, by a federated blockchain controller, a user equipment located within a cell coverage area of a network that includes heterogeneous cells. The federated blockchain controller can provide encryption data to the user equipment and corresponding authentication information to one or more multi-access edge computing (MEC) devices associated with the heterogeneous cells to enable secure and efficient handovers for the user equipment amongst the heterogeneous cells, without a need for additional handover reauthentication procedures. Other embodiments are disclosed.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of and claims priority to U.S. patentapplication Ser. No. 16/952,201, filed Nov. 19, 2020. The contents ofthe foregoing are hereby incorporated by reference into this applicationas if set forth herein in full.

FIELD OF THE DISCLOSURE

The subject disclosure relates to federated blockchain-enabled handoverauthentications.

BACKGROUND

Some networks operate through heterogeneous cells and expand overlaycoverage. For example, a 5G network can include one or more terrestrialcells (including macrocell(s), small cell(s) or microcell(s),Wi-Fi-based cell(s), or the like) and/or one or more non-terrestrialcells (including flying cell(s), or drone cell(s), served by unmannedaerial vehicles (UAVs), satellites, or the like). In these networks,many devices, such as mobile devices, Internet-of-Things (IoT) devices,vehicles, etc., can be connected to the network and may be travelingamongst the various cells. When a device travels within a cell that hasmultiple network nodes (e.g., access points), or moves from one cell toanother, a handoff (or handover) generally occurs, where an access pointto which the device is currently connected facilitates a connectionbetween the device and another (target) access point, such that thedevice can maintain access to the network. Each handover involves anauthentication process, where a target access point authenticates (orreauthenticates) the device before establishing a connection with thedevice. In cases where a large quantity of devices is traveling amongstthe cells (e.g., in densely populated areas), the number of repeatedhandovers can become significant. This results in numerousreauthentication procedures, which can negatively impact networkperformance. Moreover, following frequent handovers, reauthenticationmechanisms can become more involved, which may lead to further networkdelays and decreased network reliability.

BRIEF DESCRIPTION OF THE DRAWINGS

Reference will now be made to the accompanying drawings, which are notnecessarily drawn to scale, and wherein:

FIG. 1 is a block diagram illustrating an exemplary, non-limitingembodiment of a communications network in accordance with variousaspects described herein.

FIG. 2A is a block diagram illustrating an example, non-limitingembodiment of a system functioning within or in conjunction with thecommunication network of FIG. 1 in accordance with various aspectsdescribed herein.

FIG. 2B depicts an illustrative embodiment of a data flow in accordancewith various aspects described herein.

FIG. 2C depicts an illustrative embodiment of a data flow in accordancewith various aspects described herein.

FIG. 2D depicts an illustrative embodiment of a method in accordancewith various aspects described herein.

FIG. 2E depicts an illustrative embodiment of a method in accordancewith various aspects described herein.

FIG. 3 is a block diagram illustrating an example, non-limitingembodiment of a virtualized communication network in accordance withvarious aspects described herein.

FIG. 4 is a block diagram of an example, non-limiting embodiment of acomputing environment in accordance with various aspects describedherein.

FIG. 5 is a block diagram of an example, non-limiting embodiment of amobile network platform in accordance with various aspects describedherein.

FIG. 6 is a block diagram of an example, non-limiting embodiment of acommunication device in accordance with various aspects describedherein.

DETAILED DESCRIPTION

The subject disclosure describes, among other things, illustrativeembodiments for a blockchain-enabled handover authentication system thatis capable of eliminating a need to reauthenticate user equipment inrepeated handovers. In exemplary embodiments, the authentication systemcan leverage a federated blockchain implementation (e.g., configured asa blockchain center or controller) and the processing capabilities ofmulti-access edge computing (MEC) to provide a shared, intelligentsolution for facilitating efficient and secure handovers. In variousembodiments, a network can include heterogeneous cells that providevarying types of radio access networks (RANs). A given cell can includeone or more access points (e.g., base stations or the like) that areaugmented by cloud computing capabilities via a MEC device. In someembodiments, the federated blockchain implementation is capable ofauthenticating a user equipment as part of an initial registrationprocess, and providing encryption data (e.g., keys) to the userequipment as well as corresponding authentication information to MECdevice(s). A MEC device in a given cell can, based on the authenticationinformation, provide validation message(s) to some or all of the accesspoints in the cell that enable each access point to establish aconnection with the user equipment in the event of a handover, withoutneeding to undergo a reauthentication process. Other embodiments aredescribed in the subject disclosure.

Employing the authentication system (e.g., in heterogeneous networks),as described herein, enables efficient handovers with reduced networkresponse delays, which might otherwise occur in cases where accesspoints are constantly undergoing reauthentication procedures.Eliminating reauthentication in repeated handovers reduces the quantityof device-related network processing operations that needs to beperformed, which conserves network resources and power resources,thereby reducing the probability of network service interruption (e.g.,voice call drops or the like). This improves network reliability,end-to-end quality of service (QoS), and overall user experience.

Additionally, incorporating a federated blockchain implementation intothe authentication system enables secure communications between devicesand the network, which improves overall network security and enhancesuser privacy. Leveraging a federated blockchain network for key orauthentication management (e.g., where a user equipment is authenticatedand provided with encryption data, and where MEC device(s) receivecorresponding authentication information that enable the MEC device(s)to facilitate handovers for the user equipment) also provides a scalableand light-weight authentication flow mechanism that reduces oreliminates a need for intermediaries to perform authenticationoperations, as federated blockchain network mining (e.g., communicationverifications) can supplant traditional key transportation handshaking,which also reduces costs. Furthermore, integrating blockchainfunctionality with a MEC architecture at an edge of a network (e.g.,proximate to or within heterogeneous cells) enables more efficientreal-time data collection, analysis, and processing near the datacollection sources, which reduces or eliminates signaling overhead andconserves energy, thereby providing a dynamic, robust, andarchitecturally evolvable network.

One or more aspects of the subject disclosure include a device,comprising a processing system including a processor, and a memory thatstores executable instructions that, when executed by the processingsystem, facilitate performance of operations. The operations can includeobtaining data relating to a user equipment, where the user equipment iscommunicatively coupled to a first access point of a plurality of accesspoints, and where the plurality of access points is associated with afirst cell of a plurality of heterogeneous cells of a network. Further,the operations can include receiving, from a blockchain controller, anauthentication information vector, where the authentication informationvector is associated with a block of data of a blockchain stored in theblockchain controller. Furthermore, the operations can includedetermining that the authentication information vector corresponds tothe user equipment based on the data relating to the user equipment,generating a validation message responsive to determining that theauthentication information vector corresponds to the user equipment, andtransmitting the validation message to a second access point of theplurality of access points, where the validation message enables thesecond access point to proceed with a handover for the user equipmentwithout undergoing a handover authentication procedure.

One or more aspects of the subject disclosure include a machine-readablestorage device, comprising executable instructions that, when executedby a processing system including a processor, facilitate performance ofoperations. The operations can include providing, to a blockchaincontroller, data relating to a user equipment to authenticate the userequipment, where the user equipment is communicatively coupled to anetwork via a first access point, and where the first access point isassociated with a first cell of a plurality of heterogeneous cells ofthe network. Further, the operations can include obtaining, from theblockchain controller, encryption data, where the encryption data isassociated with a block of data of a blockchain accessible to theblockchain controller, where the encryption data facilitates creation ofan authentication information vector to be provided to a multi-accessedge computing (MEC) device that corresponds to a second access pointassociated with a second cell of the plurality of heterogeneous cells ofthe network, and where the authentication information vector enables theMEC device to provide, to the second access point, a validation messagerelating to the user equipment. Furthermore, the operations can includecommunicating with the second access point to effect a handover for theuser equipment from the first cell to the second cell, where thevalidation message enables the second access point to proceed with thehandover for the user equipment without undergoing a handoverauthentication procedure.

One or more aspects of the subject disclosure include a method. Themethod can include obtaining, by a processing system including aprocessor, data relating to a user equipment, where the data includesinformation identifying the user equipment, and where the user equipmentis communicatively coupled to a first access point associated with afirst cell of a plurality of heterogeneous cells of a network. Themethod can further include authenticating, by the processing system, theuser equipment according to the data relating to the user equipment,where the authenticating the user equipment includes verifying theinformation identifying the user equipment and updating a blockchainwith a block of data according to the verifying the informationidentifying the user equipment. The method can further includeproviding, by the processing system, encryption data to the userequipment responsive to the authenticating the user equipment,transmitting, by the processing system, an authentication informationvector to a first multi-access edge computing (MEC) device, where theauthentication information vector corresponds to the encryption data andenables the first MEC device to cause a second access point associatedwith the first cell to perform handovers for the user equipment withouta need for the second access point to undergo a handover authenticationprocedure.

Referring now to FIG. 1 , a block diagram is shown illustrating anexample, non-limiting embodiment of a communications network or system100 in accordance with various aspects described herein. For example,the communications system 100 can facilitate in whole or in partproviding federated blockchain-based handover authentications.

The communications network 125 provides broadband access 110 to aplurality of data terminals 114 via access terminal 112, wireless access120 to a plurality of mobile devices 124 and vehicle 126 via basestation or access point 122, voice access 130 to a plurality oftelephony devices 134, via switching device 132 and/or media access 140to a plurality of audio/video display devices 144 via media terminal142. In addition, communication network 125 is coupled to one or morecontent sources 175 of audio, video, graphics, text and/or other media.While broadband access 110, wireless access 120, voice access 130 andmedia access 140 are shown separately, one or more of these forms ofaccess can be combined to provide multiple access services to a singleclient device (e.g., mobile devices 124 can receive media content viamedia terminal 142, data terminal 114 can be provided voice access viaswitching device 132, and so on).

The communications network 125 includes a plurality of network elements(NE) 150, 152, 154, 156, etc. for facilitating the broadband access 110,wireless access 120, voice access 130, media access 140 and/or thedistribution of content from content sources 175. The communicationsnetwork 125 can include a circuit switched or packet switched network, avoice over Internet protocol (VoIP) network, Internet protocol (IP)network, a cable network, a passive or active optical network, a 4G, 5G,or higher generation wireless access network, WIMAX network,UltraWideband network, personal area network or other wireless accessnetwork, a broadcast satellite network and/or other communicationsnetwork.

In various embodiments, the access terminal 112 can include a digitalsubscriber line access multiplexer (DSLAM), cable modem terminationsystem (CMTS), optical line terminal (OLT) and/or other access terminal.The data terminals 114 can include personal computers, laptop computers,netbook computers, tablets or other computing devices along with digitalsubscriber line (DSL) modems, data over coax service interfacespecification (DOCSIS) modems or other cable modems, a wireless modemsuch as a 4G, 5G, or higher generation modem, an optical modem and/orother access devices.

In various embodiments, the base station or access point 122 can includea 4G, 5G, or higher generation base station, an access point thatoperates via an 802.11 standard such as 802.11n, 802.11ac or otherwireless access terminal. The mobile devices 124 can include mobilephones, e-readers, tablets, phablets, wireless modems, and/or othermobile computing devices.

In various embodiments, the switching device 132 can include a privatebranch exchange or central office switch, a media services gateway, VoIPgateway or other gateway device and/or other switching device. Thetelephony devices 134 can include traditional telephones (with orwithout a terminal adapter), VoIP telephones and/or other telephonydevices.

In various embodiments, the media terminal 142 can include a cablehead-end or other TV head-end, a satellite receiver, gateway or othermedia terminal 142. The display devices 144 can include televisions withor without a set top box, personal computers and/or other displaydevices.

In various embodiments, the content sources 175 include broadcasttelevision and radio sources, video on demand platforms and streamingvideo and audio services platforms, one or more content data networks,data servers, web servers and other content servers, and/or othersources of media.

In various embodiments, the communications network 125 can includewired, optical and/or wireless links and the network elements 150, 152,154, 156, etc. can include service switching points, signal transferpoints, service control points, network gateways, media distributionhubs, servers, firewalls, routers, edge devices, switches and othernetwork nodes for routing and controlling communications traffic overwired, optical and wireless links as part of the Internet and otherpublic networks as well as one or more private networks, for managingsubscriber access, for billing and network management and for supportingother network functions.

FIG. 2A is a block diagram illustrating an example, non-limitingembodiment of a network system 200 that leverages a federated blockchainnetwork and network edge computing capabilities to provide secure andefficient handover authentications for user equipment. The networksystem 200 can function in, or in conjunction with, variouscommunication systems and networks including the communications system100 of FIG. 1 in accordance with various aspects described herein.

As shown in FIG. 2A, the network system 200 can include cells A1, B1,C1, D1, and E1. In various embodiments, the cells A1-E1 can beheterogeneous cells that provide access to the network system 200 usingdifferent types of radio access technologies. In some embodiments, cellsA1-D1 can be terrestrial cells (e.g., one or more macrocells, smallcells or microcells, Wi-Fi-based cell(s), or the like) and cell E1 canbe a non-terrestrial cell (e.g., a flying cell, or drone cell, served byUAVs and/or the like). In various embodiments, the network system 200can include various heterogeneous cell configurations with variousquantities of cells and/or various types of cells.

User equipment, such as the user equipment 207 and 208, can be locatedwithin a cell coverage area of the network system 200, provided by cellsA1-E1, and may travel amongst various ones of the cells A1-E1 (e.g., asshown by reference numbers 207M and 208M). The user equipment 207 and208 can each include one or more data terminals 114, one or more mobiledevices 124, one or more vehicles 126, one or more display devices 144,or one or more other client devices.

Each of the cells A1-D1 can include, or be associated with, one or moreaccess points (e.g., base stations or the like) that each provides aradio access technology capable of facilitating communications betweenthe user equipment 207 and/or 208 and a core network 245 of the networksystem 200. Each of the cells A1-D1 can also be associated with a MECdevice. As the name/nomenclature implies, a MEC device may be locatedat, or proximate, to an edge of the network system 200, which may beuseful in reducing (e.g., minimizing) delays associated withprovisioning of data or services to one or more (requesting) devices.

As shown in FIG. 2A, the cell A1 can include a MEC Hub device 210 andaccess points 212 and 213, the cell B1 can include a MEC device 220 andan access point 222, and the cell C1 can include a MEC device 230 and anaccess point 232. As further shown in FIG. 2A, the cell D1 can include aMEC device 240 and an access point 242 and the cell E1 can include oneor more UAVs that provide extended access to the network system 200. Invarious embodiments, each of the MEC Hub device 210 and the MEC devices220, 230, and 240 can function as a controller in the respectiveheterogeneous cell. In some embodiments, one or more of the MEC Hubdevice 210 and the MEC devices 220, 230, and 240 can additionallyfunction as a controller for non-terrestrial cells. For example, the MECHub device 210 can be configured to at least partially control the UAVsin the cell E1. Continuing with the example, in a case where the UAVsare redirected to a different geographical area, such as to the east ofthe cell D1, the MEC device 240 can be configured to at least partiallycontrol the UAVs.

As shown in FIG. 2A, the MEC Hub device 210 and the MEC devices 220,230, and 240 can be communicatively coupled to one another via aninterface 211. The interface 211 can be a wired and/or a wirelessinterface. In some embodiments, the interface 211 can include fibercable(s), hybrid fiber-coaxial (HFC) cable(s), or the like. In someembodiments, the MEC Hub device 210 can function as a centralized MECnode for the various cells A1-E1. For example, in a network disasterrecovery situation, the MEC Hub device 210 can function as a master MECin the multiple-cell infrastructure and coordinate operations of the MECdevices 220, 230, and/or 240.

In various embodiments, each of the MEC Hub device 210 and the MECdevices 220, 230, and 240 can store data relating to user equipment,such as the user equipment 207 and 208, in a data structure (e.g., adatabase, an array, a linked list, a table, a trie, and/or the like). Invarious embodiments, some (e.g., one or more) of the MEC Hub device 210and the MEC devices 220, 230, and 240 can store the data, and others ofthe MEC Hub device 210 and the MEC devices 220, 230, and 240 can accessthe stored data therefrom (e.g., via the interface 211). In someembodiments, a MEC device can receive the data from an associated accesspoint (e.g., one or more of access points 212, 213, 222, 232, and 242)and/or from one or more of the other MEC devices (e.g., via theinterface 211). The data relating to a user equipment can include, forexample, information regarding an identity of the user equipment, acurrent location of the user equipment, current signal strength(s) ofnearby access points as measured by the user equipment, a direction ofmovement of the user equipment, a speed of travel of the user equipment,physical layer properties of the user equipment, signal round trip times(RTT), authentication information (e.g., public and/or private keyassignment(s) that might be provided by a blockchain controller, such asthe blockchain controller 205 described in more detail below),information relating to facilitating handovers (e.g., handover criteria,conditions, and/or processes, historical information regarding priorhandovers, or the like), etc. In various embodiments, the MEC Hub device210 and the MEC devices 220, 230, and 240 can dynamically update entriesin the data structure in real-time, or near real-time, as updated datarelating to user equipment is received.

In various embodiments, each of the MEC Hub device 210 and the MECdevices 220, 230, and 240 can manage an inventory of associated accesspoints, such as access points 212, 213, 222, 232, and 242, and can storedata relating to such access points in a data structure (e.g., adatabase, an array, a linked list, a table, a trie, and/or the like).The data relating to an access point can include, for example,information regarding an identity of the access point (e.g., a physicalcell identifier (PCI) or the like), a location of the access point,actual or estimated available bandwidth of the access point, throughputof the access point, etc. In various embodiments, the MEC Hub device 210and the MEC devices 220, 230, and 240 can dynamically update entries inthe data structure in real-time, or near real-time, as updated datarelating to the associated access points is received.

As shown in FIG. 2A, the network system 200 can include a blockchaincenter (or controller) 205. The blockchain controller 205 can becommunicatively coupled to each of the MEC Hub device 210 and the MECdevices 220, 230, and 240. As shown in FIG. 2A, the network system 200can include blockchain agents (BC agents) 214, 224, 234, and 244,respectively associated with the MEC Hub device 210 and the MEC devices220, 230, and 240. In various embodiments, the blockchain controller 205can exchange communications with the MEC Hub device 210 and the MECdevices 220, 230, and 240 via the respective BC agents 214, 224, 234,and 244. In some embodiments, the blockchain controller 205 maycommunicate with only one of the MEC Hub device 210 and the MEC devices220, 230, and 240, such as with only the MEC Hub device 210 via BC agent214. In such a case, for example, the MEC Hub device 210, can exchangecommunications between the blockchain controller 205 and each of the MECdevices 220, 230, and 240 via the interface 211. Communications caninclude, for example, authentication information vector(s), provided bythe blockchain controller 205, that the MEC devices 220, 230, and/or 240can utilize to facilitate respective access points 222, 232, and/or 242in effecting (or otherwise direct such access point(s) to effect)handovers for user equipment, such as the user equipment 207 and/or 208,without a need to undergo reauthentication procedures for the userequipment (e.g., as described in more detail below).

In some embodiments, the BC agents 214, 224, 234, and 244 can each beimplemented in software and/or firmware located in a device that isseparate from the respective one of the MEC Hub device 210 and the MECdevices 220, 230, and 240. Additionally, or alternatively, the BC agents214, 224, 234, and 244 can each be implemented in software and/orfirmware located in the respective one of the MEC Hub device 210 and theMEC devices 220, 230, and 240.

Although the blockchain controller 205 is shown in FIG. 2A as a singledevice, it is to be understood and appreciated that the blockchaincontroller 205 can include, or span, multiple network devices or nodes.In various embodiments, the blockchain controller 205 can be implementedas a federated blockchain network. The federated blockchain network canregulate user access so as to prevent users from exhausting thecomputational resources of the federated blockchain network. In someembodiments, the federated blockchain network can include resources thatspan public blockchain nodes, private cloud service provider (CSP)nodes, and/or the like, which can secure the federated blockchainnetwork from public cyberattacks. In some embodiments, the federatedblockchain network can include resources that span more than one trustedCSP, and thus have a more decentralized architecture than a conventionalprivate blockchain network (that is typically constrained to one CSP),which makes the federated blockchain network more reliable and furthersecures the federated blockchain network from attack.

In various embodiments, the blockchain controller 205 can be configuredto perform user equipment registration or authentication, and providecorresponding authentication information to one or more of the MEC Hubdevice 210 and the MEC devices 220, 230, and 240 to facilitate secureand efficient handovers amongst the cells A1-E1, without the need forrepeated reauthentications. For example, upon registering orauthenticating the user equipment 207, and providing correspondingauthentication information to one or more of the MEC Hub device 210 andthe MEC devices 220, 230, and 240, such MEC device(s) can facilitate, orotherwise cause, respective access points (e.g., access points 212, 213,222, 232, and/or 242) to effect handovers for the user equipment 230from one cell to another cell and so on, without the access point(s), orassociated device(s), having to perform any reauthentications of theuser equipment 207. In some embodiments, the blockchain controller 205can, via one or more nodes of the federated blockchain network, receivedata relating to user equipment, such as the user equipment 207 and/or208. The data relating to the user equipment can include, for example,information regarding an identity of the user equipment, a currentlocation of the user equipment, current signal strength(s) of nearbyaccess points as measured by the user equipment, a direction of movementof the user equipment, a speed of travel of the user equipment, physicallayer properties of the user equipment, signal RTT, other real-time, ornear real-time, measurement data, etc.

In some embodiments, the blockchain controller 205 can receive the datarelating to a user equipment, such as the user equipment 207 and/or 208,directly from the user equipment (e.g., via an interface, such as awireless interface). In some embodiments, in a case where there does notexist a direct connection channel between a user equipment and theblockchain controller 205, for example, a MEC device (e.g., MEC Hubdevice 210 or one of MEC devices 220, 230, and 240) can receive the datarelating to the user equipment (e.g., as described above), and providethe data to the blockchain controller 205.

As shown by reference number 206A, the blockchain controller 205 canprocess the data to register, or otherwise authenticate, the userequipment. In various embodiments, multiple nodes of the blockchaincontroller 205 can process the data, which may include, for example,accessing one or more server devices of the network system 200, such asauthentication server device(s), to verify the identity of the userequipment. In some embodiments, the blockchain controller 205 can updatea blockchain with a transaction or block of data based on the processing(e.g., which may include validity verifications). In variousembodiments, a majority of the nodes of the federated blockchain networkmay need to verify the validity of each block of data to be added to theblock, which improves the integrity of the blockchain and providessecure user equipment authentication on the network.

As shown by reference number 206B, the blockchain controller 205 canprovide encryption data (e.g., including one or more public and/orprivate key pairs or the like) to the user equipment 207 and/or 208. Asshown by reference number 206C, the blockchain controller 205 canprovide the MEC Hub device 210 and the MEC devices 220, 230, and 240with access to authentication information that corresponds to theencryption data and/or that is associated with the block of data in theblockchain to enable the MEC Hub device 210, and the MEC devices 220,230, and 240 to facilitate secure and efficient handovers. In someembodiments, the blockchain controller 205 can provide theauthentication information in the form of an authentication informationvector that includes information identifying the user equipment and/orsome or all of the public and/or private keys included in the encryptiondata. In various embodiments, a MEC device, such as the MEC Hub device210 or one of the MEC devices 220, 230, and 240, can determine whetheran authentication information vector corresponds to a particular userequipment, such as the user equipment 207, by matching informationidentifying the user equipment (e.g., which may be included in theauthentication information vector) with identification informationincluded in data relating to the user equipment received from an accesspoint, such as one of access points 212, 213, 222, 232, and 242.

As shown by reference number 206D, one or more of the MEC Hub device 210and the MEC devices 220, 230, and 240 can provide information regardingthe user equipment 207, such as validation message(s) that includepublic key(s) or the like associated with the user equipment 207, toassociated access points (e.g., access points 212, 213, 222, 232, and/or242), to enable such access points to identify the user equipment 207 inthe event of a handover. In this way, the blockchain-enabled handoverauthentication system can leverage edge computing resources of a networkto provide secure and efficient handovers without a need for repeatedhandover authentications.

As an example, in a case where the user equipment 207 has alreadyregistered with the blockchain controller 205, and travels along thepath 207M, from the cell A1 toward the cell B1, the MEC device 220 candetect the user equipment 207's approach (e.g., from data relating tothe user equipment 207 received from the access point 222 and/or fromthe MEC Hub device 210), determine a correspondence betweenidentification information for the user equipment 207 and authenticationinformation received from the blockchain controller 205, generate avalidation message (e.g., that includes some or all of the public and/orprivate keys associated with the user equipment 207), and provide thevalidation message to the access point 222. Continuing with the example,the validation message can enable the access point 222 to identify, andsecurely establish a communication session with, the user equipment 207,without the access point 222 needing or having to undergo a handoverauthentication procedure. This reduces or eliminates a need for theaccess point 222 to perform additional actions that might otherwise berequired in a handover authentication (or reauthentication), such assubmitting one or more authentication or verification requests to serverdevice(s) of the network system 200, receiving responses to the requests(e.g., validation data or responses), processing the responses, etc. Invarious embodiments, an access point can nevertheless transmitauthentication or verification request(s) to the server device(s) toverify a user equipment, and the access point can perform handover(s)based on any validation response(s) to the request(s) or, alternatively,perform handover(s) regardless of the validation response(s), such as bynot using the validation response(s) as part of performing thehandover(s).

In some embodiments, a MEC device, such as the MEC Hub device 210 or oneof the MEC devices 220, 230, and 240, can facilitate initialregistration or authentication of a user equipment, such as the userequipment 207. In some embodiments, the MEC device can facilitate theinitial registration or authentication of the user equipment based ondetermining that the user equipment is moving toward a cell, such as byperforming a trajectory analysis of the user equipment to predict afuture location of the user equipment according to data relating to theuser equipment (e.g., information regarding a current location of theuser equipment, information regarding a speed of travel of the userequipment, information regarding a direction of travel of the userequipment, historical location information relating to the userequipment and/or other user equipment, behavior information relating tothe user equipment and/or other user equipment, and so on). For example,in a case where the user equipment 207 is currently in an ongoingcommunication session (e.g., a voice call session, a video call session,and/or a data transfer session, such as a data upload session and/or adata download session) and is moving toward a target cell (thuspotentially necessitating a handover), a corresponding MEC device (e.g.,the MEC Hub device 210 or one of the MEC devices 220, 230, and 240),associated with the cell in which the user equipment 207 is located (orassociated with the target cell), can detect, based on up-to-date,real-time, or near real-time, data relating to the user equipment 207,such movement of the user equipment 207, and coordinate communicationsbetween the blockchain controller 205 and the user equipment 207 tofacilitate initial registration/authentication as needed. In variousembodiments, the corresponding MEC device can determine a need tofacilitate initial registration/authentication based on an absence ofauthentication information for the user equipment 207. In someembodiments, after registration or authentication is complete, a userequipment may not need to further communicate with the blockchaincontroller 205 (e.g., at least for a duration of the ongoingcommunication session, or longer). In various embodiments, once a userequipment has been registered or authenticated, no additionalreauthentications are needed regardless of a quantity of repeatedhandovers that might occur during an ongoing communication session.

In some embodiments, the blockchain controller 205 can be configured torequire registration, or authentication, of a user equipment prior toinitiation (e.g., within a threshold time prior to initiation) of acommunication session at a user equipment, such as a voice call session,a video call session, and/or a data transfer session. In such a case, acorresponding MEC device (e.g., MEC Hub device 210 or one of the MECdevices 220, 230, and 240), associated with the cell in which the userequipment is located, can detect that a communication session is to beinitiated for the user equipment (e.g., based on data relating to theuser equipment or the like), and coordinate communications between theblockchain controller 205 and the user equipment to facilitateregistration or authentication as needed.

In various embodiments, registration or authentication of a userequipment by the blockchain controller 205 can remain valid so long asone or more conditions are satisfied. For example, successfulregistration or authentication of a user equipment can remain validindefinitely, can remain valid only for a duration of an ongoingcommunication session, can remain valid for a predefined amount of time,can remain valid so long as the user equipment remains within a cellcoverage area of the network system 200, etc. Maintaining such validitycan reduce or eliminate a need for access points to undergo handoverauthentication procedures for the user equipment, for example, until theone or more conditions are no longer satisfied.

As shown in FIG. 2A, the blockchain controller 205 can include anAuthControl module 205A and a secinfo module 205F, which can beconfigured to perform various actions or operations described above withrespect to the blockchain controller 205. In various embodiments, theAuthControl module 205A can be configured to process data relating to auser equipment, such as user equipment 207, to read, identify, orotherwise extract, one or more data items relating to the userequipment, and provide the data items to the secinfo module 205F. Thedata items can include, for example, information regarding an identityof the user equipment, a current location of the user equipment, currentsignal strength(s) of nearby access points detected by the userequipment, a direction of movement of the user equipment, a speed oftravel of the user equipment, physical layer properties of the userequipment, signal RTT, etc. In various embodiments, the AuthControlmodule 205A can generate, assign, and/or provide, encryption data (e.g.,the encryption data described above), including public and private keys(e.g., one or more pairs of public and private keys or the like), to theuser equipment for use with future handovers.

In various embodiments, the secinfo module 205F can process the dataitems, including the public and private key(s), such as by encryptingthe data items and/or packaging the data items into an authenticationinformation vector (e.g., the authentication information vectordescribed above). In various embodiments, the secinfo module 205F cantransmit, or otherwise distribute, the authentication information vectorto one or more of the MEC Hub device 210 and the MEC devices 220, 230,and 240.

In some embodiments, in a case where a MEC device, such as the MEC Hubdevice 210 or one of the MEC devices 220, 230, and 240, determines thata user equipment (e.g., user equipment 207) is traveling towards anothercell, the MEC device can provide a notification to the blockchaincontroller 205. The notification can include, for example, informationregarding an identity of the user equipment, a speed of travel of theuser equipment, a direction of travel of the user equipment, a currentposition of the user equipment, trajectory analysis information (e.g.,as described above), and/or the like. In such a case, the secinfo module205F can access a data structure (e.g., a database, an array, a linkedlist, a table, a trie, and/or the like) accessible to the blockchaincontroller 205 to confirm whether the user equipment has already beenauthenticated. In a case where the secinfo module 205F determines thatthe user equipment has not yet been authenticated, the secinfo module205F can instruct the AuthControl module 205A to attempt to register orauthenticate the user equipment, e.g., in a manner similar to thatdescribed above.

In some embodiments, the blockchain controller 205 (e.g., the secinfomodule 205F) can be configured to similarly determine whether a userequipment, such as the user equipment 207, is traveling towards anothercell (e.g., based on a speed of travel of the user equipment, adirection of travel of the user equipment, and/or a current position ofthe user equipment).

In various embodiments, the blockchain controller 205 can be configuredto detect and address potential network attacks or suspicious userequipment behavior. For example, in some embodiments, the blockchaincontroller 205 can initiate a timer (or timeout) ‘T’ that is equal, ornear equal, to an amount of time until the handover is expected tooccur, and include the timer in an authentication information vector tobe provided to a corresponding MEC device, such as the MEC Hub device210 or one of the MEC devices 220, 230, and 240. The MEC device can, inturn, include the timer in a validation message to be provided to theassociated access point, such as the access point 212, 213, 222, 232, or242. The access point can monitor the timer, and in a case where thetimer expires and the handover does not occur, the access point cannotify the MEC device, which can, in turn, notify the blockchaincontroller 205. The blockchain controller 205 can, based on thenotification, perform verification operation(s) on one or more blocks ofdata in the blockchain to determine whether there is a potential networkcompromise or suspicious user equipment behavior. In a case where suchverifications fail or the like, for example, the blockchain controller205 can define access limits (e.g., block the user equipment or thelike) and notify some or all of the MEC devices, such as MEC Hub device210 and MEC devices 220, 230, and 240, to similarly configure accesslimits at the associated access points.

In some embodiments, the blockchain controller 205 can be configured todetermine whether to confirm prior authentication of a user equipment,such as the user equipment 207, based on one or more criteria. Thecriteria can relate, for example, to a subscription plan associated withthe user equipment, a type or priority level of an ongoing communicationsession at the user equipment, a risk-level of an ongoing communicationsession at the user equipment, historical activity of the userequipment, and/or the like. For example, the blockchain controller 205can decide to confirm prior authentication of a user equipment dependingon whether an ongoing communication has high priority (e.g., involves asensitive service or is mission critical, such as an emergency callbeing conducted by emergency personnel or the like), has low priority(e.g., is for a user equipment associated with low QoS requirements),appears to be risky (e.g., based on data traffic patterns or the like),etc.

In various embodiments, the core network 245 can be, or include, acloud-based platform, a non-cloud-based platform, a hybrid platform thatis partially cloud-based and partially non-cloud-based, and/or the like.In some embodiments, the core network 245 can be configured to providereal-time, central network analytics and/or offline analytics-level datamining functionality for network system 200. In various embodiments, thecore network 245 can receive various measurement data (e.g., relating totiming, signal strengths, bandwidth availability, etc.) from some or allof the devices in the various cells A1-E1, and process the measurementdata to determine the operating status or condition of individual RANsas well as of the overall network system 200.

In some embodiments, the core network 245, along with the blockchaincontroller 205, the MEC Hub device 210, the MEC devices 220, 230, and240, and the BC agents 214, 224, 234, and 244, can be implemented as asoftware defined network (SDN). In these embodiments, the core network245 can provide direct control of each of these devices or components.This enables a federated blockchain-enabled MEC authenticationimplementation that can be further enhanced by network analytics. Invarious embodiments, the SDN can receive, in real-time or nearreal-time, data relating to a user equipment, such as identificationinformation for the user equipment 207, information regarding a currentlocation of the user equipment 207, current signal strength(s) of nearbyaccess points detected by the user equipment 207, a direction ofmovement of the user equipment 207, a speed of travel of the userequipment 207, physical layer properties of the user equipment 207,signal RTT, Internet Protocol (IP) address(es), etc. The SDN candetermine a possible future location of the user equipment based on thedata, identify a MEC device associated with that location, and configureappropriate flow table(s) for that MEC device to accelerate the overallhandover authentication process. By predicting a likely travel route ofa user equipment, the SDN controller can securely and efficientlyservice the user equipment as handovers are needed.

In some embodiments, the core network 245 can generate policies and/orrules for one or more of the blockchain controller 205, the MEC Hubdevice 210, and the MEC devices 220, 230, and 240 based on networkanalytics, and apply such policies and/or rules thereto (e.g., in theform of tables stored in these devices or components). The core network245 can generate various types of policies or rules based on a varietyof inputs, such as, for example, a user equipment's associatedsubscription plan, QoS requirement(s), a current time of day, a currentday of week, month, or year, cell bandwidth availability, quantity ofdevices in a given cell, etc. As an example, in a case where a userequipment, such as the user equipment 207, is to undergo a handover froma current, serving cell to a target cell, but there is congestion in thetarget cell, an ongoing call session at the user equipment mighttypically terminate. However, the core network 245 can determine, basedon current network analytics, that there are alternative neighboring,terrestrial cell(s) or non-terrestrial cell(s) (e.g., served bysatellites and/or UAVs) that can service the user equipment, andfacilitate an alternative handover based on this determination. In sucha case, the core network 245 can provide a policy or rule to the MECdevice of the current cell and/or the MEC device of an alternativetarget cell to facilitate the handover.

It is to be understood and appreciated that the quantity and arrangementof controllers, modules, devices, and networks shown in FIG. 2A areprovided as an example. In practice, there may be additionalcontrollers, modules, devices, and/or networks, fewer controllers,modules, devices, and/or networks, different controllers, modules,devices, and/or networks, or differently arranged controllers, modules,devices, and/or networks than those shown in FIG. 2A. For example, thenetwork system 200 can include more or fewer blockchain controllers,AuthControl modules, secinfo modules, MEC Hub devices, MEC devices, BCagents, access points, cells, UAVs, user equipment, etc. Furthermore,two or more controllers, modules, or devices shown in FIG. 2A may beimplemented within a single controller, module, or device, or a singlecontroller, module, or device shown in FIG. 2A may be implemented asmultiple, distributed controllers, modules, or devices (e.g., in adistributed and/or virtual environment). Additionally, or alternatively,a set of controllers, modules, or devices (e.g., one or morecontrollers, modules, or devices) of the network system 200 may performone or more functions described as being performed by another set ofcontrollers, modules, or devices of the network system 200. For example,although the blockchain controller 205 has been described herein asbeing separately implemented from the various MEC devices, such as theMEC Hub device 210 and the MEC devices 220, 230, and 240, in someembodiments, a portion or all of the functionality of the blockchaincontroller 205 can be implemented in one or more of the MEC Hub device210 and the MEC devices 220, 230, and 240.

FIG. 2B depicts an illustrative embodiment of a data flow 270 inaccordance with various aspects described herein. Data flow 270illustrates registration or authentication of the user equipment 207 bythe blockchain controller 205, and facilitation, by the MEC Hub device210, of a handover for the user equipment 207 between the access points212 and 213, without a need for the access point 213 to effect ahandover authentication procedure.

At 270A, the blockchain controller 205 can receive data relating to theuser equipment 207. For example, the blockchain controller 205 canreceive data relating to the user equipment 207 in a manner similar tothat described above with respect to the network system 200 of FIG. 2A.As an example, the data can serve as a request to register orauthenticate the user equipment 207, and can include informationregarding an identity of the user equipment 207, a current location ofthe user equipment 207, current signal strength(s) of nearby accesspoints detected by the user equipment 207, a direction of movement ofthe user equipment 207, a speed of travel of the user equipment 207,physical layer properties of the user equipment 207, signal RTT, etc. Insome embodiments, the AuthControl module 205A of the blockchaincontroller 205 can receive the data relating to the user equipment 207.

At 270B, the blockchain controller 205 can provide encryption data tothe user equipment 207. For example, the blockchain controller 205 canprovide encryption data in a manner similar to that described above withrespect to the network system 200 of FIG. 2A. As an example, theencryption data can include one or more public and private key pairs.

At 270C, the blockchain controller 205 can transmit an authenticationinformation vector to the MEC Hub device 210. For example, theblockchain controller 205 can transmit an authentication informationvector to the MEC Hub device 210 in a manner similar to that describedabove with respect to the network system 200 of FIG. 2A. As an example,the authentication information vector can correspond to the encryptiondata (e.g., can include some or all of the public and/or private keysincluded in the encryption data). In some embodiments, the secinfomodule 205F can generate the authentication information vector byencrypting one or more data packages (e.g., one or more capsuled datapackages) including some or all of the public and/or private keys.

At 270D and 270E, the MEC Hub device 210 can provide a validationmessage to each of the access points 212 and 213. For example, the MECHub device 210 can provide validation messages to access points 212 and213 in a manner similar to that described above with respect to thenetwork system 200 of FIG. 2A. As an example, each validation messagecan correspond to the encryption data provided by the blockchaincontroller 205 to the user equipment 207.

At 270F, the user equipment 207 can establish a connection with theaccess point 212. At 270G, the user equipment 207, the access point 212,and/or the access point 213 can determine that a handover of the userequipment 207 to the access point 213 is needed, and perform thehandover for the user equipment 207 (e.g., in a manner similar to thatdescribed above with respect to FIG. 2A). In some embodiments, theaccess point 212 and/or the access point 213 can determine that thehandover is needed based on data relating to the user equipment 207,such as information regarding movement of the user equipment 207 towardthe access point 213. In various embodiments, the access point 212and/or the access point 213 can utilize the validation message (e.g.,contents therein, such as public keys, identification information, etc.)to identify the user equipment 207 prior to effecting the handover. Thisprovides for a secure, efficient, and seamless handover that eliminatesa need for any of the access points 212 and 213 to perform additionalactions, such as accessing other network resources to reauthenticate theuser equipment 207.

At 270H, the access point 213 can provide a notification to the MEC Hubdevice 210 regarding an upcoming handover. In some embodiments, the MECHub device 210 can update one or more entries (associated with the userequipment 207) in a data structure based on the notification. At 270J,the user equipment 207 can establish a connection with the access point213. For example, the access point 213 can, based on identifying theuser equipment 207 using the validation message, permit establishment ofthe connection with the user equipment 207. At 270K, the user equipment207 can disconnect from the access point 212.

FIG. 2C depicts an illustrative embodiment of a data flow 280 inaccordance with various aspects described herein. Data flow 280illustrates a handover procedure, involving the user equipment 207,among two heterogeneous cells (e.g., in a 4G network, a 5G network, ahigher generation network, or the like). Data flow 280 can begin afterthe blockchain controller 205 has registered or authenticated the userequipment 207.

At 280A, the blockchain controller 205 can transmit (e.g., via the BCagent 224) an authentication information vector to the MEC device 220.At 280B, the blockchain controller 205 can similarly transmit (e.g., viathe BC agent 234) an authentication information vector to the MEC device230. For example, the blockchain controller 205 can transmit theauthentication information vectors to the MEC devices 220 and 230 in amanner similar to that described above with respect to the networksystem 200 of FIG. 2A. As an example, each authentication informationvector can include one or more public keys assigned to the userequipment 207 (and included in encryption data provided by theblockchain controller 205 to the user equipment 207).

At 280C, the MEC device 220 can provide a validation message to theaccess point 222 and, at 280D, the user equipment 207 can establish aconnection with the access point 222. At 280E, the MEC device 230 cansimilarly provide a validation message to the access point 232. Forexample, the MEC devices 220 and 230 can provide the validation messagesto the access points 222 and 232 in a manner similar to that describedabove with respect to the network system 200 of FIG. 2A. As an example,each validation message can correspond to the encryption data providedby the blockchain controller 205 to the user equipment 207.

At 280F, the user equipment 207, the access point 222, and/or the accesspoint 232 can determine that a handover of the user equipment 207 to theaccess point 232 is needed. At 280G, the access point 232 can provide anotification to the MEC device 230 regarding an upcoming handover, andat 280H, the MEC device 230 can provide a notification to the blockchaincontroller 205 regarding the upcoming handover. In various embodiments,the MEC device 230 can, based on the notification provided by the accesspoint 232, update one or more entries (associated with the userequipment 207) in a data structure, e.g., for purposes of user equipmentmonitoring and management, such as for facilitating potential futurehandovers. In some embodiments, the blockchain controller 205 can, basedon the notification provided by the MEC device 230, confirm whether theuser equipment 207 has already been registered or authenticated, e.g.,similar to that described above with respect to the network system 200of FIG. 2A.

At 280J, the user equipment 207 can establish a connection with theaccess point 232 and, at 280K, the user equipment 207 can disconnectfrom the access point 222. At 280L, the access point 222 can provide anotification to the MEC device 220 regarding the handover and/or thedisconnection from the user equipment 207. The MEC device 220 can, basedon the notification provided by the access point 222, update one or moreentries (associated with the user equipment 207) in a data structure,e.g., for purposes of user equipment monitoring and management, such asfor handling potential future handovers.

FIG. 2D depicts an illustrative embodiment of a method 290 in accordancewith various aspects described herein. In some embodiments, one or moreprocess blocks of FIG. 2D can be performed by a MEC device, such as theMEC Hub device 210 or one of the MEC devices 220, 230, and 240. In someembodiments, one or more process blocks of FIG. 2D may be performed byanother device or a group of devices separate from or including the MECdevice, such as the blockchain controller 205, the user equipment 207,the user equipment 208, the access point(s) 212, 213, 222, 232, and/or242, the BC agent(s) 214, 224, 234, and/or 244, and/or the core network245.

At 290A, the method can include receiving data relating to a userequipment, where the user equipment is communicatively coupled to afirst access point of a network. For example, the MEC Hub device 210 canreceive data relating to the user equipment 207 in a manner similar tothat described above with respect to the network system 200 of FIG. 2A,where the user equipment 207 can be communicatively coupled to theaccess point 212.

At 290B, the method can include receiving an authentication informationvector. For example, the MEC Hub device 210 can receive anauthentication information vector from the blockchain controller 205 ina manner similar to that described above with respect to the networksystem 200 of FIG. 2A.

At 290C, the method can include determining that the authenticationinformation vector corresponds to the user equipment. For example, theMEC Hub device 210 can determine that the authentication informationvector corresponds to the user equipment 207 in a manner similar to thatdescribed above with respect to the network system 200 of FIG. 2A.

At 290D, the method can include generating a validation message. Forexample, the MEC Hub device 210 can generate a validation message in amanner similar to that described above with respect to the networksystem 200 of FIG. 2A.

At 290E, the method can include transmitting the validation message to asecond access point, where the validation message enables the secondaccess point to proceed with a handover for the user equipment withoutundergoing a handover authentication procedure. For example, the MEC Hubdevice 210 can transmit the validation message to the access point 213in a manner similar to that described above with respect to the networksystem 200 of FIG. 2A and/or data flow 270 of FIG. 2B, where thevalidation message enables the access point 213 to proceed with ahandover for the user equipment 207 without undergoing a handoverauthentication procedure.

While for purposes of simplicity of explanation, the respectiveprocesses are shown and described as a series of blocks in FIG. 2D, itis to be understood and appreciated that the claimed subject matter isnot limited by the order of the blocks, as some blocks may occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein. Moreover, not all illustrated blocks maybe required to implement the methods described herein.

FIG. 2E depicts an illustrative embodiment of a method 295 in accordancewith various aspects described herein. In some embodiments, one or moreprocess blocks of FIG. 2E can be performed by a blockchain controller,such as the blockchain controller 205. In some embodiments, one or moreprocess blocks of FIG. 2E may be performed by another device or a groupof devices separate from or including the blockchain controller, such asthe MEC Hub device 210, the MEC device(s) 220, 230, and/or 240, the userequipment 207, the user equipment 208, the access point(s) 212, 213,222, 232, and/or 242, the BC agent(s) 214, 224, 234, and/or 244, and/orthe core network 245.

At 295A, the method can include receiving data relating to a userequipment, where the user equipment is communicatively coupled to anaccess point associated with a first cell of a network. For example, theblockchain controller 205 can receive data relating to the userequipment 207 in a manner similar to that described above with respectto the network system 200 of FIG. 2A, where the user equipment 207 canbe communicatively coupled to the access point 212 in the cell A1.

At 295B, the method can include authenticating the user equipmentaccording to the data relating to the user equipment. For example, theblockchain controller 205 can authenticate the user equipment 207according to the data relating to the user equipment 207 in a mannersimilar to that described above with respect to the network system 200of FIG. 2A.

At 295C, the method can include providing encryption data to the userequipment. For example, the blockchain controller 205 can provideencryption data to the user equipment 207 in a manner similar to thatdescribed above with respect to the network system 200 of FIG. 2A.

At 295D, the method can include transmitting an authenticationinformation vector to a first MEC device, where the authenticationinformation vector corresponds to the encryption data and enables thefirst MEC device to facilitate one or more other access pointsassociated with the first cell in performing handover(s) for the userequipment without a need for handover authentication procedures. Forexample, the blockchain controller 205 can transmit an authenticationinformation vector to the MEC Hub device 210 in a manner similar to thatdescribed above with respect to the network system 200 of FIG. 2A, wherethe authentication information vector corresponds to the encryption dataand enables the MEC Hub device 210 to facilitate the access points 212and/or 213 in performing handovers for the user equipment 207 without aneed for handover authentication procedures.

While for purposes of simplicity of explanation, the respectiveprocesses are shown and described as a series of blocks in FIG. 2E, itis to be understood and appreciated that the claimed subject matter isnot limited by the order of the blocks, as some blocks may occur indifferent orders and/or concurrently with other blocks from what isdepicted and described herein. Moreover, not all illustrated blocks maybe required to implement the methods described herein.

Referring now to FIG. 3 , a block diagram 300 is shown illustrating anexample, non-limiting embodiment of a virtualized communication networkin accordance with various aspects described herein. In particular avirtualized communication network is presented that can be used toimplement some or all of the subsystems and functions of communicationnetwork 100, the subsystems and functions of network system 200, dataflows 270 and 280, and methods 290 and 295 presented in FIGS. 1, 2A, 2B,2C, 2D, and 2E. For example, virtualized communication network 300 canfacilitate in whole or in part secure and efficient federatedblockchain-enabled handover authentication for user equipment in aheterogeneous network.

In particular, a cloud networking architecture is shown that leveragescloud technologies and supports rapid innovation and scalability via atransport layer 350, a virtualized network function cloud 325 and/or oneor more cloud computing environments 375. In various embodiments, thiscloud networking architecture is an open architecture that leveragesapplication programming interfaces (APIs); reduces complexity fromservices and operations; supports more nimble business models; andrapidly and seamlessly scales to meet evolving customer requirementsincluding traffic growth, diversity of traffic types, and diversity ofperformance and reliability expectations.

In contrast to traditional network elements—which are typicallyintegrated to perform a single function, the virtualized communicationnetwork employs virtual network elements (VNEs) 330, 332, 334, etc. thatperform some or all of the functions of network elements 150, 152, 154,156, etc. For example, the network architecture can provide a substrateof networking capability, often called Network Function VirtualizationInfrastructure (NFVI) or simply infrastructure that is capable of beingdirected with software and Software Defined Networking (SDN) protocolsto perform a broad variety of network functions and services. Thisinfrastructure can include several types of substrates. The most typicaltype of substrate being servers that support Network FunctionVirtualization (NFV), followed by packet forwarding capabilities basedon generic computing resources, with specialized network technologiesbrought to bear when general purpose processors or general purposeintegrated circuit devices offered by merchants (referred to herein asmerchant silicon) are not appropriate. In this case, communicationservices can be implemented as cloud-centric workloads.

As an example, a traditional network element 150 (shown in FIG. 1 ),such as an edge router can be implemented via a VNE 330 composed of NFVsoftware modules, merchant silicon, and associated controllers. Thesoftware can be written so that increasing workload consumes incrementalresources from a common resource pool, and moreover so that it'selastic: so the resources are only consumed when needed. In a similarfashion, other network elements such as other routers, switches, edgecaches, and middle-boxes are instantiated from the common resource pool.Such sharing of infrastructure across a broad set of uses makes planningand growing infrastructure easier to manage.

In an embodiment, the transport layer 350 includes fiber, cable, wiredand/or wireless transport elements, network elements and interfaces toprovide broadband access 110, wireless access 120, voice access 130,media access 140 and/or access to content sources 175 for distributionof content to any or all of the access technologies. In particular, insome cases a network element needs to be positioned at a specific place,and this allows for less sharing of common infrastructure. Other times,the network elements have specific physical layer adapters that cannotbe abstracted or virtualized, and might require special DSP code andanalog front-ends (AFEs) that do not lend themselves to implementationas VNEs 330, 332 or 334. These network elements can be included intransport layer 350.

The virtualized network function cloud 325 interfaces with the transportlayer 350 to provide the VNEs 330, 332, 334, etc. to provide specificNFVs. In particular, the virtualized network function cloud 325leverages cloud operations, applications, and architectures to supportnetworking workloads. The virtualized network elements 330, 332 and 334can employ network function software that provides either a one-for-onemapping of traditional network element function or alternately somecombination of network functions designed for cloud computing. Forexample, VNEs 330, 332 and 334 can include route reflectors, domain namesystem (DNS) servers, and dynamic host configuration protocol (DHCP)servers, system architecture evolution (SAE) and/or mobility managemententity (MME) gateways, broadband network gateways, IP edge routers forIP-VPN, Ethernet and other services, load balancers, distributers andother network elements. Because these elements don't typically need toforward large amounts of traffic, their workload can be distributedacross a number of servers—each of which adds a portion of thecapability, and overall which creates an elastic function with higheravailability than its former monolithic version. These virtual networkelements 330, 332, 334, etc. can be instantiated and managed using anorchestration approach similar to those used in cloud compute services.

The cloud computing environments 375 can interface with the virtualizednetwork function cloud 325 via APIs that expose functional capabilitiesof the VNEs 330, 332, 334, etc. to provide the flexible and expandedcapabilities to the virtualized network function cloud 325. Inparticular, network workloads may have applications distributed acrossthe virtualized network function cloud 325 and cloud computingenvironment 375 and in the commercial cloud, or might simply orchestrateworkloads supported entirely in NFV infrastructure from these thirdparty locations.

Turning now to FIG. 4 , there is illustrated a block diagram of acomputing environment in accordance with various aspects describedherein. In order to provide additional context for various embodimentsof the embodiments described herein, FIG. 4 and the following discussionare intended to provide a brief, general description of a suitablecomputing environment 400 in which the various embodiments of thesubject disclosure can be implemented. In particular, computingenvironment 400 can be used in the implementation of network elements150, 152, 154, 156, access terminal 112, base station or access point122, switching device 132, media terminal 142, and/or VNEs 330, 332,334, etc. Each of these devices can be implemented viacomputer-executable instructions that can run on one or more computers,and/or in combination with other program modules and/or as a combinationof hardware and software. For example, computing environment 400 canfacilitate in whole or in part secure and efficient federatedblockchain-enabled handover authentication for user equipment in aheterogeneous network.

Generally, program modules comprise routines, programs, components, datastructures, etc., that perform particular tasks or implement particularabstract data types. Moreover, those skilled in the art will appreciatethat the methods can be practiced with other computer systemconfigurations, comprising single-processor or multiprocessor computersystems, minicomputers, mainframe computers, as well as personalcomputers, hand-held computing devices, microprocessor-based orprogrammable consumer electronics, and the like, each of which can beoperatively coupled to one or more associated devices.

As used herein, a processing circuit includes one or more processors aswell as other application specific circuits such as an applicationspecific integrated circuit, digital logic circuit, state machine,programmable gate array or other circuit that processes input signals ordata and that produces output signals or data in response thereto. Itshould be noted that while any functions and features described hereinin association with the operation of a processor could likewise beperformed by a processing circuit.

The illustrated embodiments of the embodiments herein can be alsopracticed in distributed computing environments where certain tasks areperformed by remote processing devices that are linked through acommunications network. In a distributed computing environment, programmodules can be located in both local and remote memory storage devices.

Computing devices typically comprise a variety of media, which cancomprise computer-readable storage media and/or communications media,which two terms are used herein differently from one another as follows.Computer-readable storage media can be any available storage media thatcan be accessed by the computer and comprises both volatile andnonvolatile media, removable and non-removable media. By way of example,and not limitation, computer-readable storage media can be implementedin connection with any method or technology for storage of informationsuch as computer-readable instructions, program modules, structured dataor unstructured data.

Computer-readable storage media can comprise, but are not limited to,random access memory (RAM), read only memory (ROM), electricallyerasable programmable read only memory (EEPROM), flash memory or othermemory technology, compact disk read only memory (CD-ROM), digitalversatile disk (DVD) or other optical disk storage, magnetic cassettes,magnetic tape, magnetic disk storage or other magnetic storage devicesor other tangible and/or non-transitory media which can be used to storedesired information. In this regard, the terms “tangible” or“non-transitory” herein as applied to storage, memory orcomputer-readable media, are to be understood to exclude onlypropagating transitory signals per se as modifiers and do not relinquishrights to all standard storage, memory or computer-readable media thatare not only propagating transitory signals per se.

Computer-readable storage media can be accessed by one or more local orremote computing devices, e.g., via access requests, queries or otherdata retrieval protocols, for a variety of operations with respect tothe information stored by the medium.

Communications media typically embody computer-readable instructions,data structures, program modules or other structured or unstructureddata in a data signal such as a modulated data signal, e.g., a carrierwave or other transport mechanism, and comprises any informationdelivery or transport media. The term “modulated data signal” or signalsrefers to a signal that has one or more of its characteristics set orchanged in such a manner as to encode information in one or moresignals. By way of example, and not limitation, communication mediacomprise wired media, such as a wired network or direct-wiredconnection, and wireless media such as acoustic, RF, infrared and otherwireless media.

With reference again to FIG. 4 , the example environment can comprise acomputer 402, the computer 402 comprising a processing unit 404, asystem memory 406 and a system bus 408. The system bus 408 couplessystem components including, but not limited to, the system memory 406to the processing unit 404. The processing unit 404 can be any ofvarious commercially available processors. Dual microprocessors andother multiprocessor architectures can also be employed as theprocessing unit 404.

The system bus 408 can be any of several types of bus structure that canfurther interconnect to a memory bus (with or without a memorycontroller), a peripheral bus, and a local bus using any of a variety ofcommercially available bus architectures. The system memory 406comprises ROM 410 and RAM 412. A basic input/output system (BIOS) can bestored in a non-volatile memory such as ROM, erasable programmable readonly memory (EPROM), EEPROM, which BIOS contains the basic routines thathelp to transfer information between elements within the computer 402,such as during startup. The RAM 412 can also comprise a high-speed RAMsuch as static RAM for caching data.

The computer 402 further comprises an internal hard disk drive (HDD) 414(e.g., EIDE, SATA), which internal HDD 414 can also be configured forexternal use in a suitable chassis (not shown), a magnetic floppy diskdrive (FDD) 416, (e.g., to read from or write to a removable diskette418) and an optical disk drive 420, (e.g., reading a CD-ROM disk 422 or,to read from or write to other high capacity optical media such as theDVD). The HDD 414, magnetic FDD 416 and optical disk drive 420 can beconnected to the system bus 408 by a hard disk drive interface 424, amagnetic disk drive interface 426 and an optical drive interface 428,respectively. The hard disk drive interface 424 for external driveimplementations comprises at least one or both of Universal Serial Bus(USB) and Institute of Electrical and Electronics Engineers (IEEE) 1394interface technologies. Other external drive connection technologies arewithin contemplation of the embodiments described herein.

The drives and their associated computer-readable storage media providenonvolatile storage of data, data structures, computer-executableinstructions, and so forth. For the computer 402, the drives and storagemedia accommodate the storage of any data in a suitable digital format.Although the description of computer-readable storage media above refersto a hard disk drive (HDD), a removable magnetic diskette, and aremovable optical media such as a CD or DVD, it should be appreciated bythose skilled in the art that other types of storage media which arereadable by a computer, such as zip drives, magnetic cassettes, flashmemory cards, cartridges, and the like, can also be used in the exampleoperating environment, and further, that any such storage media cancontain computer-executable instructions for performing the methodsdescribed herein.

A number of program modules can be stored in the drives and RAM 412,comprising an operating system 430, one or more application programs432, other program modules 434 and program data 436. All or portions ofthe operating system, applications, modules, and/or data can also becached in the RAM 412. The systems and methods described herein can beimplemented utilizing various commercially available operating systemsor combinations of operating systems.

A user can enter commands and information into the computer 402 throughone or more wired/wireless input devices, e.g., a keyboard 438 and apointing device, such as a mouse 440. Other input devices (not shown)can comprise a microphone, an infrared (IR) remote control, a joystick,a game pad, a stylus pen, touch screen or the like. These and otherinput devices are often connected to the processing unit 404 through aninput device interface 442 that can be coupled to the system bus 408,but can be connected by other interfaces, such as a parallel port, anIEEE 1394 serial port, a game port, a universal serial bus (USB) port,an IR interface, etc.

A monitor 444 or other type of display device can be also connected tothe system bus 408 via an interface, such as a video adapter 446. Itwill also be appreciated that in alternative embodiments, a monitor 444can also be any display device (e.g., another computer having a display,a smart phone, a tablet computer, etc.) for receiving displayinformation associated with computer 402 via any communication means,including via the Internet and cloud-based networks. In addition to themonitor 444, a computer typically comprises other peripheral outputdevices (not shown), such as speakers, printers, etc.

The computer 402 can operate in a networked environment using logicalconnections via wired and/or wireless communications to one or moreremote computers, such as a remote computer(s) 448. The remotecomputer(s) 448 can be a workstation, a server computer, a router, apersonal computer, portable computer, microprocessor-based entertainmentappliance, a peer device or other common network node, and typicallycomprises many or all of the elements described relative to the computer402, although, for purposes of brevity, only a remote memory/storagedevice 450 is illustrated. The logical connections depicted comprisewired/wireless connectivity to a local area network (LAN) 452 and/orlarger networks, e.g., a wide area network (WAN) 454. Such LAN and WANnetworking environments are commonplace in offices and companies, andfacilitate enterprise-wide computer networks, such as intranets, all ofwhich can connect to a global communications network, e.g., theInternet.

When used in a LAN networking environment, the computer 402 can beconnected to the LAN 452 through a wired and/or wireless communicationnetwork interface or adapter 456. The adapter 456 can facilitate wiredor wireless communication to the LAN 452, which can also comprise awireless AP disposed thereon for communicating with the adapter 456.

When used in a WAN networking environment, the computer 402 can comprisea modem 458 or can be connected to a communications server on the WAN454 or has other means for establishing communications over the WAN 454,such as by way of the Internet. The modem 458, which can be internal orexternal and a wired or wireless device, can be connected to the systembus 408 via the input device interface 442. In a networked environment,program modules depicted relative to the computer 402 or portionsthereof, can be stored in the remote memory/storage device 450. It willbe appreciated that the network connections shown are example and othermeans of establishing a communications link between the computers can beused.

The computer 402 can be operable to communicate with any wirelessdevices or entities operatively disposed in wireless communication,e.g., a printer, scanner, desktop and/or portable computer, portabledata assistant, communications satellite, any piece of equipment orlocation associated with a wirelessly detectable tag (e.g., a kiosk,news stand, restroom), and telephone. This can comprise WirelessFidelity (Wi-Fi) and BLUETOOTH® wireless technologies. Thus, thecommunication can be a predefined structure as with a conventionalnetwork or simply an ad hoc communication between at least two devices.

Wi-Fi can allow connection to the Internet from a couch at home, a bedin a hotel room or a conference room at work, without wires. Wi-Fi is awireless technology similar to that used in a cell phone that enablessuch devices, e.g., computers, to send and receive data indoors and out;anywhere within the range of a base station. Wi-Fi networks use radiotechnologies called IEEE 802.11 (a, b, g, n, ac, ag, etc.) to providesecure, reliable, fast wireless connectivity. A Wi-Fi network can beused to connect computers to each other, to the Internet, and to wirednetworks (which can use IEEE 802.3 or Ethernet). Wi-Fi networks operatein the unlicensed 2.4 and 5 GHz radio bands for example or with productsthat contain both bands (dual band), so the networks can providereal-world performance similar to the basic 10BaseT wired Ethernetnetworks used in many offices.

Turning now to FIG. 5 , an embodiment 500 of a mobile network platform510 is shown that is an example of network elements 150, 152, 154, 156,and/or VNEs 330, 332, 334, etc. For example, platform 510 can facilitatein whole or in part secure and efficient federated blockchain-enabledhandover authentication for user equipment in a heterogeneous network.

In one or more embodiments, the mobile network platform 510 can generateand receive signals transmitted and received by base stations or accesspoints such as base station or access point 122. Generally, mobilenetwork platform 510 can comprise components, e.g., nodes, gateways,interfaces, servers, or disparate platforms, that facilitate bothpacket-switched (PS) (e.g., internet protocol (IP), frame relay,asynchronous transfer mode (ATM)) and circuit-switched (CS) traffic(e.g., voice and data), as well as control generation for networkedwireless telecommunication. As a non-limiting example, mobile networkplatform 510 can be included in telecommunications carrier networks, andcan be considered carrier-side components as discussed elsewhere herein.Mobile network platform 510 comprises CS gateway node(s) 512 which caninterface CS traffic received from legacy networks like telephonynetwork(s) 540 (e.g., public switched telephone network (PSTN), orpublic land mobile network (PLMN)) or a signaling system #7 (SS7)network 560. CS gateway node(s) 512 can authorize and authenticatetraffic (e.g., voice) arising from such networks. Additionally, CSgateway node(s) 512 can access mobility, or roaming, data generatedthrough SS7 network 560; for instance, mobility data stored in a visitedlocation register (VLR), which can reside in memory 530. Moreover, CSgateway node(s) 512 interfaces CS-based traffic and signaling and PSgateway node(s) 518. As an example, in a 3GPP UMTS network, CS gatewaynode(s) 512 can be realized at least in part in gateway GPRS supportnode(s) (GGSN). It should be appreciated that functionality and specificoperation of CS gateway node(s) 512, PS gateway node(s) 518, and servingnode(s) 516, is provided and dictated by radio technology(ies) utilizedby mobile network platform 510 for telecommunication over a radio accessnetwork 520 with other devices, such as a radiotelephone 575.

In addition to receiving and processing CS-switched traffic andsignaling, PS gateway node(s) 518 can authorize and authenticatePS-based data sessions with served mobile devices. Data sessions cancomprise traffic, or content(s), exchanged with networks external to themobile network platform 510, like wide area network(s) (WANs) 550,enterprise network(s) 570, and service network(s) 580, which can beembodied in local area network(s) (LANs), can also be interfaced withmobile network platform 510 through PS gateway node(s) 518. It is to benoted that WANs 550 and enterprise network(s) 570 can embody, at leastin part, a service network(s) like IP multimedia subsystem (IMS). Basedon radio technology layer(s) available in technology resource(s) orradio access network 520, PS gateway node(s) 518 can generate packetdata protocol contexts when a data session is established; other datastructures that facilitate routing of packetized data also can begenerated. To that end, in an aspect, PS gateway node(s) 518 cancomprise a tunnel interface (e.g., tunnel termination gateway (TTG) in3GPP UMTS network(s) (not shown)) which can facilitate packetizedcommunication with disparate wireless network(s), such as Wi-Finetworks.

In embodiment 500, mobile network platform 510 also comprises servingnode(s) 516 that, based upon available radio technology layer(s) withintechnology resource(s) in the radio access network 520, convey thevarious packetized flows of data streams received through PS gatewaynode(s) 518. It is to be noted that for technology resource(s) that relyprimarily on CS communication, server node(s) can deliver trafficwithout reliance on PS gateway node(s) 518; for example, server node(s)can embody at least in part a mobile switching center. As an example, ina 3GPP UMTS network, serving node(s) 516 can be embodied in serving GPRSsupport node(s) (SGSN).

For radio technologies that exploit packetized communication, server(s)514 in mobile network platform 510 can execute numerous applicationsthat can generate multiple disparate packetized data streams or flows,and manage (e.g., schedule, queue, format . . . ) such flows. Suchapplication(s) can comprise add-on features to standard services (forexample, provisioning, billing, customer support . . . ) provided bymobile network platform 510. Data streams (e.g., content(s) that arepart of a voice call or data session) can be conveyed to PS gatewaynode(s) 518 for authorization/authentication and initiation of a datasession, and to serving node(s) 516 for communication thereafter. Inaddition to application server, server(s) 514 can comprise utilityserver(s), a utility server can comprise a provisioning server, anoperations and maintenance server, a security server that can implementat least in part a certificate authority and firewalls as well as othersecurity mechanisms, and the like. In an aspect, security server(s)secure communication served through mobile network platform 510 toensure network's operation and data integrity in addition toauthorization and authentication procedures that CS gateway node(s) 512and PS gateway node(s) 518 can enact. Moreover, provisioning server(s)can provision services from external network(s) like networks operatedby a disparate service provider; for instance, WAN 550 or GlobalPositioning System (GPS) network(s) (not shown). Provisioning server(s)can also provision coverage through networks associated to mobilenetwork platform 510 (e.g., deployed and operated by the same serviceprovider), such as the distributed antennas networks shown in FIG. 1that enhance wireless service coverage by providing more networkcoverage.

It is to be noted that server(s) 514 can comprise one or more processorsconfigured to confer at least in part the functionality of mobilenetwork platform 510. To that end, the one or more processor can executecode instructions stored in memory 530, for example. It is should beappreciated that server(s) 514 can comprise a content manager, whichoperates in substantially the same manner as described hereinbefore.

In example embodiment 500, memory 530 can store information related tooperation of mobile network platform 510. Other operational informationcan comprise provisioning information of mobile devices served throughmobile network platform 510, subscriber databases; applicationintelligence, pricing schemes, e.g., promotional rates, flat-rateprograms, couponing campaigns; technical specification(s) consistentwith telecommunication protocols for operation of disparate radio, orwireless, technology layers; and so forth. Memory 530 can also storeinformation from at least one of telephony network(s) 540, WAN 550, SS7network 560, or enterprise network(s) 570. In an aspect, memory 530 canbe, for example, accessed as part of a data store component or as aremotely connected memory store.

In order to provide a context for the various aspects of the disclosedsubject matter, FIG. 5 , and the following discussion, are intended toprovide a brief, general description of a suitable environment in whichthe various aspects of the disclosed subject matter can be implemented.While the subject matter has been described above in the general contextof computer-executable instructions of a computer program that runs on acomputer and/or computers, those skilled in the art will recognize thatthe disclosed subject matter also can be implemented in combination withother program modules. Generally, program modules comprise routines,programs, components, data structures, etc. that perform particulartasks and/or implement particular abstract data types.

Turning now to FIG. 6 , an illustrative embodiment of a communicationdevice 600 is shown. The communication device 600 can serve as anillustrative embodiment of devices such as data terminals 114, mobiledevices 124, vehicle 126, display devices 144 or other client devicesfor communication via either communications network 125. For example,communication device 600 can facilitate in whole or in part secure andefficient federated blockchain-enabled handover authentication for userequipment in a heterogeneous network.

The communication device 600 can comprise a wireline and/or wirelesstransceiver 602 (herein transceiver 602), a user interface (UI) 604, apower supply 614, a location receiver 616, a motion sensor 618, anorientation sensor 620, and a controller 606 for managing operationsthereof. The transceiver 602 can support short-range or long-rangewireless access technologies such as Bluetooth®, ZigBee®, WiFi, DECT, orcellular communication technologies, just to mention a few (Bluetooth®and ZigBee® are trademarks registered by the Bluetooth® Special InterestGroup and the ZigBee® Alliance, respectively). Cellular technologies caninclude, for example, CDMA-1×, UMTS/HSDPA, GSM/GPRS, TDMA/EDGE, EV/DO,WiMAX, SDR, LTE, as well as other next generation wireless communicationtechnologies as they arise. The transceiver 602 can also be adapted tosupport circuit-switched wireline access technologies (such as PSTN),packet-switched wireline access technologies (such as TCP/IP, VoIP,etc.), and combinations thereof.

The UI 604 can include a depressible or touch-sensitive keypad 608 witha navigation mechanism such as a roller ball, a joystick, a mouse, or anavigation disk for manipulating operations of the communication device600. The keypad 608 can be an integral part of a housing assembly of thecommunication device 600 or an independent device operably coupledthereto by a tethered wireline interface (such as a USB cable) or awireless interface supporting for example Bluetooth®. The keypad 608 canrepresent a numeric keypad commonly used by phones, and/or a QWERTYkeypad with alphanumeric keys. The UI 604 can further include a display610 such as monochrome or color LCD (Liquid Crystal Display), OLED(Organic Light Emitting Diode) or other suitable display technology forconveying images to an end user of the communication device 600. In anembodiment where the display 610 is touch-sensitive, a portion or all ofthe keypad 608 can be presented by way of the display 610 withnavigation features.

The display 610 can use touch screen technology to also serve as a userinterface for detecting user input. As a touch screen display, thecommunication device 600 can be adapted to present a user interfacehaving graphical user interface (GUI) elements that can be selected by auser with a touch of a finger. The display 610 can be equipped withcapacitive, resistive or other forms of sensing technology to detect howmuch surface area of a user's finger has been placed on a portion of thetouch screen display. This sensing information can be used to controlthe manipulation of the GUI elements or other functions of the userinterface. The display 610 can be an integral part of the housingassembly of the communication device 600 or an independent devicecommunicatively coupled thereto by a tethered wireline interface (suchas a cable) or a wireless interface.

The UI 604 can also include an audio system 612 that utilizes audiotechnology for conveying low volume audio (such as audio heard inproximity of a human ear) and high volume audio (such as speakerphonefor hands free operation). The audio system 612 can further include amicrophone for receiving audible signals of an end user. The audiosystem 612 can also be used for voice recognition applications. The UI604 can further include an image sensor 613 such as a charged coupleddevice (CCD) camera for capturing still or moving images.

The power supply 614 can utilize common power management technologiessuch as replaceable and rechargeable batteries, supply regulationtechnologies, and/or charging system technologies for supplying energyto the components of the communication device 600 to facilitatelong-range or short-range portable communications. Alternatively, or incombination, the charging system can utilize external power sources suchas DC power supplied over a physical interface such as a USB port orother suitable tethering technologies.

The location receiver 616 can utilize location technology such as aglobal positioning system (GPS) receiver capable of assisted GPS foridentifying a location of the communication device 600 based on signalsgenerated by a constellation of GPS satellites, which can be used forfacilitating location services such as navigation. The motion sensor 618can utilize motion sensing technology such as an accelerometer, agyroscope, or other suitable motion sensing technology to detect motionof the communication device 600 in three-dimensional space. Theorientation sensor 620 can utilize orientation sensing technology suchas a magnetometer to detect the orientation of the communication device600 (north, south, west, and east, as well as combined orientations indegrees, minutes, or other suitable orientation metrics).

The communication device 600 can use the transceiver 602 to alsodetermine a proximity to a cellular, WiFi, Bluetooth®, or other wirelessaccess points by sensing techniques such as utilizing a received signalstrength indicator (RSSI) and/or signal time of arrival (TOA) or time offlight (TOF) measurements. The controller 606 can utilize computingtechnologies such as a microprocessor, a digital signal processor (DSP),programmable gate arrays, application specific integrated circuits,and/or a video processor with associated storage memory such as Flash,ROM, RAM, SRAM, DRAM or other storage technologies for executingcomputer instructions, controlling, and processing data supplied by theaforementioned components of the communication device 600.

Other components not shown in FIG. 6 can be used in one or moreembodiments of the subject disclosure. For instance, the communicationdevice 600 can include a slot for adding or removing an identity modulesuch as a Subscriber Identity Module (SIM) card or Universal IntegratedCircuit Card (UICC). SIM or UICC cards can be used for identifyingsubscriber services, executing programs, storing subscriber data, and soon.

The terms “first,” “second,” “third,” and so forth, as used in theclaims, unless otherwise clear by context, is for clarity only anddoesn't otherwise indicate or imply any order in time. For instance, “afirst determination,” “a second determination,” and “a thirddetermination,” does not indicate or imply that the first determinationis to be made before the second determination, or vice versa, etc.

In the subject specification, terms such as “store,” “storage,” “datastore,” data storage,” “database,” and substantially any otherinformation storage component relevant to operation and functionality ofa component, refer to “memory components,” or entities embodied in a“memory” or components comprising the memory. It will be appreciatedthat the memory components described herein can be either volatilememory or nonvolatile memory, or can comprise both volatile andnonvolatile memory, by way of illustration, and not limitation, volatilememory, non-volatile memory, disk storage, and memory storage. Further,nonvolatile memory can be included in read only memory (ROM),programmable ROM (PROM), electrically programmable ROM (EPROM),electrically erasable ROM (EEPROM), or flash memory. Volatile memory cancomprise random access memory (RAM), which acts as external cachememory. By way of illustration and not limitation, RAM is available inmany forms such as synchronous RAM (SRAM), dynamic RAM (DRAM),synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhancedSDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM).Additionally, the disclosed memory components of systems or methodsherein are intended to comprise, without being limited to comprising,these and any other suitable types of memory.

Moreover, it will be noted that the disclosed subject matter can bepracticed with other computer system configurations, comprisingsingle-processor or multiprocessor computer systems, mini-computingdevices, mainframe computers, as well as personal computers, hand-heldcomputing devices (e.g., PDA, phone, smartphone, watch, tabletcomputers, netbook computers, etc.), microprocessor-based orprogrammable consumer or industrial electronics, and the like. Theillustrated aspects can also be practiced in distributed computingenvironments where tasks are performed by remote processing devices thatare linked through a communications network; however, some if not allaspects of the subject disclosure can be practiced on stand-alonecomputers. In a distributed computing environment, program modules canbe located in both local and remote memory storage devices.

In one or more embodiments, information regarding use of services can begenerated including services being accessed, media consumption history,user preferences, and so forth. This information can be obtained byvarious methods including user input, detecting types of communications(e.g., video content vs. audio content), analysis of content streams,sampling, and so forth. The generating, obtaining and/or monitoring ofthis information can be responsive to an authorization provided by theuser. In one or more embodiments, an analysis of data can be subject toauthorization from user(s) associated with the data, such as an opt-in,an opt-out, acknowledgement requirements, notifications, selectiveauthorization based on types of data, and so forth.

Some of the embodiments described herein can also employ artificialintelligence (AI) to facilitate automating one or more featuresdescribed herein. The embodiments (e.g., in connection withautomatically identifying acquired cell sites that provide a maximumvalue/benefit after addition to an existing communication network) canemploy various AI-based schemes for carrying out various embodimentsthereof. Moreover, the classifier can be employed to determine a rankingor priority of each cell site of the acquired network. A classifier is afunction that maps an input attribute vector, x=(x1, x2, x3, x4, . . . ,xn), to a confidence that the input belongs to a class, that is,f(x)=confidence (class). Such classification can employ a probabilisticand/or statistical-based analysis (e.g., factoring into the analysisutilities and costs) to determine or infer an action that a user desiresto be automatically performed. A support vector machine (SVM) is anexample of a classifier that can be employed. The SVM operates byfinding a hypersurface in the space of possible inputs, which thehypersurface attempts to split the triggering criteria from thenon-triggering events. Intuitively, this makes the classificationcorrect for testing data that is near, but not identical to trainingdata. Other directed and undirected model classification approachescomprise, e.g., naïve Bayes, Bayesian networks, decision trees, neuralnetworks, fuzzy logic models, and probabilistic classification modelsproviding different patterns of independence can be employed.Classification as used herein also is inclusive of statisticalregression that is utilized to develop models of priority.

As will be readily appreciated, one or more of the embodiments canemploy classifiers that are explicitly trained (e.g., via a generictraining data) as well as implicitly trained (e.g., via observing UEbehavior, operator preferences, historical information, receivingextrinsic information). For example, SVMs can be configured via alearning or training phase within a classifier constructor and featureselection module. Thus, the classifier(s) can be used to automaticallylearn and perform a number of functions, including but not limited todetermining according to predetermined criteria which of the acquiredcell sites will benefit a maximum number of subscribers and/or which ofthe acquired cell sites will add minimum value to the existingcommunication network coverage, etc.

As used in some contexts in this application, in some embodiments, theterms “component,” “system” and the like are intended to refer to, orcomprise, a computer-related entity or an entity related to anoperational apparatus with one or more specific functionalities, whereinthe entity can be either hardware, a combination of hardware andsoftware, software, or software in execution. As an example, a componentmay be, but is not limited to being, a process running on a processor, aprocessor, an object, an executable, a thread of execution,computer-executable instructions, a program, and/or a computer. By wayof illustration and not limitation, both an application running on aserver and the server can be a component. One or more components mayreside within a process and/or thread of execution and a component maybe localized on one computer and/or distributed between two or morecomputers. In addition, these components can execute from variouscomputer readable media having various data structures stored thereon.The components may communicate via local and/or remote processes such asin accordance with a signal having one or more data packets (e.g., datafrom one component interacting with another component in a local system,distributed system, and/or across a network such as the Internet withother systems via the signal). As another example, a component can be anapparatus with specific functionality provided by mechanical partsoperated by electric or electronic circuitry, which is operated by asoftware or firmware application executed by a processor, wherein theprocessor can be internal or external to the apparatus and executes atleast a part of the software or firmware application. As yet anotherexample, a component can be an apparatus that provides specificfunctionality through electronic components without mechanical parts,the electronic components can comprise a processor therein to executesoftware or firmware that confers at least in part the functionality ofthe electronic components. While various components have beenillustrated as separate components, it will be appreciated that multiplecomponents can be implemented as a single component, or a singlecomponent can be implemented as multiple components, without departingfrom example embodiments.

Further, the various embodiments can be implemented as a method,apparatus or article of manufacture using standard programming and/orengineering techniques to produce software, firmware, hardware or anycombination thereof to control a computer to implement the disclosedsubject matter. The term “article of manufacture” as used herein isintended to encompass a computer program accessible from anycomputer-readable device or computer-readable storage/communicationsmedia. For example, computer readable storage media can include, but arenot limited to, magnetic storage devices (e.g., hard disk, floppy disk,magnetic strips), optical disks (e.g., compact disk (CD), digitalversatile disk (DVD)), smart cards, and flash memory devices (e.g.,card, stick, key drive). Of course, those skilled in the art willrecognize many modifications can be made to this configuration withoutdeparting from the scope or spirit of the various embodiments.

In addition, the words “example” and “exemplary” are used herein to meanserving as an instance or illustration. Any embodiment or designdescribed herein as “example” or “exemplary” is not necessarily to beconstrued as preferred or advantageous over other embodiments ordesigns. Rather, use of the word example or exemplary is intended topresent concepts in a concrete fashion. As used in this application, theterm “or” is intended to mean an inclusive “or” rather than an exclusive“or”. That is, unless specified otherwise or clear from context, “Xemploys A or B” is intended to mean any of the natural inclusivepermutations. That is, if X employs A; X employs B; or X employs both Aand B, then “X employs A or B” is satisfied under any of the foregoinginstances. In addition, the articles “a” and “an” as used in thisapplication and the appended claims should generally be construed tomean “one or more” unless specified otherwise or clear from context tobe directed to a singular form.

Moreover, terms such as “user equipment,” “mobile station,” “mobile,”subscriber station,” “access terminal,” “terminal,” “handset,” “mobiledevice” (and/or terms representing similar terminology) can refer to awireless device utilized by a subscriber or user of a wirelesscommunication service to receive or convey data, control, voice, video,sound, gaming or substantially any data-stream or signaling-stream. Theforegoing terms are utilized interchangeably herein and with referenceto the related drawings.

Furthermore, the terms “user,” “subscriber,” “customer,” “consumer” andthe like are employed interchangeably throughout, unless contextwarrants particular distinctions among the terms. It should beappreciated that such terms can refer to human entities or automatedcomponents supported through artificial intelligence (e.g., a capacityto make inference based, at least, on complex mathematical formalisms),which can provide simulated vision, sound recognition and so forth.

As employed herein, the term “processor” can refer to substantially anycomputing processing unit or device comprising, but not limited tocomprising, single-core processors; single-processors with softwaremultithread execution capability; multi-core processors; multi-coreprocessors with software multithread execution capability; multi-coreprocessors with hardware multithread technology; parallel platforms; andparallel platforms with distributed shared memory. Additionally, aprocessor can refer to an integrated circuit, an application specificintegrated circuit (ASIC), a digital signal processor (DSP), a fieldprogrammable gate array (FPGA), a programmable logic controller (PLC), acomplex programmable logic device (CPLD), a discrete gate or transistorlogic, discrete hardware components or any combination thereof designedto perform the functions described herein. Processors can exploitnano-scale architectures such as, but not limited to, molecular andquantum-dot based transistors, switches and gates, in order to optimizespace usage or enhance performance of user equipment. A processor canalso be implemented as a combination of computing processing units.

As used herein, terms such as “data storage,” data storage,” “database,”and substantially any other information storage component relevant tooperation and functionality of a component, refer to “memorycomponents,” or entities embodied in a “memory” or components comprisingthe memory. It will be appreciated that the memory components orcomputer-readable storage media, described herein can be either volatilememory or nonvolatile memory or can include both volatile andnonvolatile memory.

What has been described above includes mere examples of variousembodiments. It is, of course, not possible to describe everyconceivable combination of components or methodologies for purposes ofdescribing these examples, but one of ordinary skill in the art canrecognize that many further combinations and permutations of the presentembodiments are possible. Accordingly, the embodiments disclosed and/orclaimed herein are intended to embrace all such alterations,modifications and variations that fall within the spirit and scope ofthe appended claims. Furthermore, to the extent that the term “includes”is used in either the detailed description or the claims, such term isintended to be inclusive in a manner similar to the term “comprising” as“comprising” is interpreted when employed as a transitional word in aclaim.

In addition, a flow diagram may include a “start” and/or “continue”indication. The “start” and “continue” indications reflect that thesteps presented can optionally be incorporated in or otherwise used inconjunction with other routines. In this context, “start” indicates thebeginning of the first step presented and may be preceded by otheractivities not specifically shown. Further, the “continue” indicationreflects that the steps presented may be performed multiple times and/ormay be succeeded by other activities not specifically shown. Further,while a flow diagram indicates a particular ordering of steps, otherorderings are likewise possible provided that the principles ofcausality are maintained.

As may also be used herein, the term(s) “operably coupled to”, “coupledto”, and/or “coupling” includes direct coupling between items and/orindirect coupling between items via one or more intervening items. Suchitems and intervening items include, but are not limited to, junctions,communication paths, components, circuit elements, circuits, functionalblocks, and/or devices. As an example of indirect coupling, a signalconveyed from a first item to a second item may be modified by one ormore intervening items by modifying the form, nature or format ofinformation in a signal, while one or more elements of the informationin the signal are nevertheless conveyed in a manner than can berecognized by the second item. In a further example of indirectcoupling, an action in a first item can cause a reaction on the seconditem, as a result of actions and/or reactions in one or more interveningitems.

Although specific embodiments have been illustrated and describedherein, it should be appreciated that any arrangement which achieves thesame or similar purpose may be substituted for the embodiments describedor shown by the subject disclosure. The subject disclosure is intendedto cover any and all adaptations or variations of various embodiments.Combinations of the above embodiments, and other embodiments notspecifically described herein, can be used in the subject disclosure.For instance, one or more features from one or more embodiments can becombined with one or more features of one or more other embodiments. Inone or more embodiments, features that are positively recited can alsobe negatively recited and excluded from the embodiment with or withoutreplacement by another structural and/or functional feature. The stepsor functions described with respect to the embodiments of the subjectdisclosure can be performed in any order. The steps or functionsdescribed with respect to the embodiments of the subject disclosure canbe performed alone or in combination with other steps or functions ofthe subject disclosure, as well as from other embodiments or from othersteps that have not been described in the subject disclosure. Further,more than or less than all of the features described with respect to anembodiment can also be utilized.

What is claimed is:
 1. A device, comprising: a processing systemincluding a processor; and a memory that stores executable instructionsthat, when executed by the processing system, facilitate performance ofoperations, the operations comprising: obtaining data relating to a userequipment, wherein the user equipment is communicatively coupled to afirst access point of a plurality of access points, and wherein thefirst access point is associated with a first cell of a plurality ofheterogeneous cells of a network; determining that a receivedauthentication information vector associated with blockchain datacorresponds to the user equipment; generating a validation messageresponsive to the determining that the received authenticationinformation vector corresponds to the user equipment; and based onidentifying, from the data relating to the user equipment, that the userequipment is moving toward a second cell of the plurality ofheterogeneous cells, transmitting the validation message to a secondaccess point of the plurality of access points that is associated withthe second cell, wherein the validation message causes the second accesspoint to proceed with a handover for the user equipment withoutundergoing a handover authentication procedure.
 2. The device of claim1, wherein the device is located proximate to an edge of the network andprovides edge computing capabilities for the network.
 3. The device ofclaim 1, wherein the handover authentication procedure involvessubmitting verification requests to an external server device of thenetwork that performs user equipment verifications, receiving validationdata from the external server device as responses to the verificationrequests, and processing the validation data, and wherein the validationmessage causes the second access point to perform the handover for theuser equipment by not utilizing particular validation data that isreceived from the external server device for the user equipment.
 4. Thedevice of claim 1, wherein the obtaining the data relating to the userequipment comprises obtaining the data relating to the user equipmentfrom the first access point.
 5. The device of claim 1, wherein the datarelating to the user equipment includes information regarding anidentity of the user equipment.
 6. The device of claim 1, wherein thedata relating to the user equipment includes real-time measurement data.7. The device of claim 1, wherein the data relating to the userequipment includes information regarding a speed of travel of the userequipment, a direction of travel of the user equipment, a location ofthe user equipment, or any combination thereof.
 8. The device of claim1, wherein the operations further comprise identifying, from the datarelating to the user equipment, that the user equipment is moving towardthe second cell.
 9. The device of claim 1, wherein the second cell ofthe plurality of heterogeneous cells is associated with a multi-accessedge computing (MEC) device.
 10. A non-transitory machine-readablestorage device, comprising executable instructions that, when executedby a processing system including a processor, facilitate performance ofoperations, the operations comprising: providing, to a blockchaincontroller, data relating to a user equipment to authenticate the userequipment, wherein the user equipment is communicatively coupled to anetwork via a first access point, and wherein the first access point isassociated with a first cell of a plurality of heterogeneous cells ofthe network; and based on an authentication information vector receivedfrom the blockchain controller that corresponds to the user equipmentand based on determining that the user equipment is moving toward asecond cell of the plurality of heterogenous cells, communicating with asecond access point associated with the second cell, to effect ahandover for the user equipment from the first cell to the second cell,wherein the communicating prevents the second access point fromundergoing a handover authentication procedure when conducting thehandover for the user equipment.
 11. The non-transitory machine-readablestorage device of claim 10, wherein the handover authenticationprocedure involves submitting verification requests to an externalserver device of the network that performs user equipment verifications,receiving validation data from the external server device as responsesto the verification requests, and processing the validation data, andwherein the communicating prevents the second access point fromutilizing particular validation data that is received from the externalserver device for the user equipment.
 12. The non-transitorymachine-readable storage device of claim 10, wherein the data relatingto the user equipment includes information regarding an identity of theuser equipment.
 13. The non-transitory machine-readable storage deviceof claim 10, wherein the data relating to the user equipment includesinformation regarding a speed of travel of the user equipment, adirection of travel of the user equipment, a location of the userequipment, or any combination thereof.
 14. The non-transitorymachine-readable storage device of claim 10, wherein the first accesspoint employs a first radio access technology, and wherein the secondaccess point employs a second radio access technology that is differentfrom the first radio access technology.
 15. The non-transitorymachine-readable storage device of claim 10, wherein the blockchaincontroller comprises a federated blockchain network, and wherein thefederated blockchain network includes a plurality of resources spanningprivate cloud service provider (CSP) nodes and/or public blockchainnodes.
 16. A method, comprising: obtaining, by a processing systemincluding a processor, data relating to a user equipment, wherein thedata includes information identifying the user equipment, and whereinthe user equipment is communicatively coupled to a first access pointassociated with a first cell of a plurality of heterogeneous cells of anetwork; providing, by the processing system, encryption data to theuser equipment responsive to a successful authentication of the userequipment using the data relating to the user equipment; andtransmitting, by the processing system, an authentication informationvector to a first multi-access edge computing (MEC) device, wherein theauthentication information vector corresponds to the encryption data andenables the first MEC device to, based on identifying that the userequipment is traveling toward a second access point associated with thefirst cell, cause the second access point to perform a handover for theuser equipment without a need for the second access point to undergo ahandover authentication procedure.
 17. The method of claim 16, whereinthe processing system includes a federated blockchain network, andwherein the federated blockchain network includes a plurality ofresources spanning private cloud service provider (CSP) nodes and/orpublic blockchain nodes.
 18. The method of claim 16, further comprising:transmitting, by the processing system, the authentication informationvector to a second MEC device, wherein the second MEC device iscommunicatively coupled to at least one access point associated with asecond cell of the plurality of heterogeneous cells of the network, andwherein the authentication information vector enables the second MECdevice to direct the at least one access point to effect handoversinvolving the user equipment without undergoing any handoverauthentication procedures.
 19. The method of claim 16, furthercomprising: generating, by the processing system, the authenticationinformation vector responsive to the successful authentication of theuser equipment.
 20. The method of claim 16, wherein the data relating tothe user equipment includes information regarding a speed of travel ofthe user equipment, a direction of travel of the user equipment, alocation of the user equipment, or any combination thereof.